Security as a business management challenge

Policies and processes are the foundation of a security program. However, failure to monitor for and enforce compliance renders these documents as useless as a wide-open firewall.

Yesterday I was trying to catch up with my backlog of unheard Security Now podcasts. (I've been recovering from a pesky clot in my right lung, so I've sort of been out-of-pocket.) In one of the episodes (#127), Steve Gibson discussed a message he received from one of his listeners. The frustrated correspondent told about how his CIO had issued an acceptable use policy that no one wanted to--or intended to--follow. One of the reasons given by his manager included not being told exactly how to implement the controls described in the policies (e.g. disk encryption)--a nice excuse to do nothing.

This isn't an uncommon problem. Many organizations draft comprehensive security policies that sit ignored on a shelf. This is not necessarily a technical issue. Rather, this is a business management problem.

Security policies and processes are no different from those governing business operations. In fact, managers and employees should view acceptable use policies just as they do operational policies. In environments where this occurs, security compliance monitoring and enforcement are integrated into day-to-day activities. Let's use HCR Manor Care, my employer, as an example of how this might look.

First, executive management made it very clear that HIPAA, and information security in general, is very important. Human Resources (HR) reinforces this during new hire orientation and annual awareness sessions with our existing 60,000 employees.

Second, Information Security, Legal, and HR worked together to create the existing security program. It consists of policies and processes related to technical activities as well as an acceptable use policy. The acceptable use policy covers the use of personal and company-owned devices, use of the network, and use of electronic services (e.g. email and Internet). This comprehensive guide for company information resource use is part of the HR policy manual and enforced via the standard HR disciplinary process.

We monitor for compliance in four ways.

Our internal controls team visits every facility each year. We've integrated certain key security controls into the internal control review.

Internal Audit dedicates an auditor to review policy and process outcomes within the IS department.

IS Security performs an extensive set of monitoring and review tasks as part of a daily checklist.

When a security policy violation is discovered, IS Security opens an incident investigation. We send the results of this investigation to the corporate HIPAA security officer, HR, and the managers of the employees involved. HR follows up to ensure managers take appropriate action.

This enforcement framework might not work for all organizations, but it works well for us. The key to our success, however, is manager and employee awareness that executive management expects secure business practices--no excuses.

Finally, there is the problem of the frustrated correspondent's technical manager stating that controls like disk encryption could not be implemented because the CIO didn't provide detailed guidance. For example, the CIO's policy stated that laptop drives must be encrypted. I don't know about you, but I like general policies. The more general the better.

Policies should describe business outcomes, not specific solutions. A good technical manager knows this. It is the manager's responsibility to determine how to get to the expected outcomes described in policies. If he or she expects details to come from the CIO, why does the organization need him or her? Using a lack of detail in a policy as an excuse to do nothing is at best simple laziness and at worst negligence.

1 Comment

[Hope your lung problem is improving. And thanks for your link to Steve Gibson's and Leo Laporte's weekly Security Now podcasts. New to me and highly worthwhile.]

I have a client organisation that exhibits exactly the behaviour one of Steve's listeners spoke about. They have a good set of policies and procedures formally signed off by their board of directors. But it is ingrained in their corporate culture to bypass these controls whenever urgent business needs provide the excuse for a workaround. Consequently no one really takes security seriously. The ICT staff themselves are the ones who disregard security policies and procedures most often.

It is a culture that introduces rapid changes to their business services and underlying technology services with poor management of the interdependencies between all these initiatives. In their haste to achieve deadlines that have been promised for introducing new technologies, security goes out the window.

I keep racking my brain about how to help my clients get control of this risky behaviour. But so far my team's suggestions have been ignored.

Now, my company is negotiating to increase our services to this client organisation, extending our services contract to a full managed services wrap for their end-to-end infrastructure. In order to cover our business risks we must take steps to enforce compliance.

I'm interested in learning how your IS Security team performs an extensive set of monitoring and review tasks.
